SSH CA + gpg-agent + gnuk => error

NIIBE Yutaka gniibe at fsij.org
Fri Oct 18 13:50:21 CEST 2019


Brennecke, Simon wrote:
> I have a question regarding the interaction of SSH with gpg-agent
> (and possibly also gnuk).
[...]
> So I generated a new ECC key in gnuk, imported the public keys in gpg.
> Added the keygrip everything to "~/.gnupg/sshcontrol"

Just FYI, for a smartcard, adding a keygrip in sshcontrol is not needed,
if it is OK for your gpg-agent to just fail for a signing request when
the smartcard is not available.

> "ssh-add -L" shows me the key.
> I signed it with the CA.
> ssh tries to use the key...
> ... and this is where the error pops up.
>
> ssh tells me:
> sign_and_send_pubkey: signing failed: agent refused operation
>
> and gpg-agent tells me:
> gpg-agent[21629]: ssh request handler for sign_request (13) started
> gpg-agent[21629]: DBG: detected card with S/N D276000124010200FFFE430322340000
> gpg-agent[21629]: smartcard signing failed: General error
> gpg-agent[21629]: ssh sign request failed: General error <GPG Agent>

I don't think it is related to the OpenSSH certificate.  For some reason,
possibly a bug, smartcard signing failed.  You can configure
.gnupg/scdaemon.conf with something like:
====================
debug-level guru
debug-all
verbose
log-file /run/user/1000/scd.log
====================
to see what's going on.


			*	*	*

Here is another piece of related information.

OpenSSH certificate authentication doesn't work well with gpg-agent
(yet).  Ideally, the OpenSSH certificate should be under the control of
gpg-agent.

For details, you can see:

    https://dev.gnupg.org/T1756
    https://lists.gnupg.org/pipermail/gnupg-devel/2016-August/031479.html

Protocol-wise, for gpg-agent, it is expected that ssh does:

  * ssh asks ssh-agent (in our case, gpg-agent) to get the OpenSSH
    certificate by the REQUEST_IDENTITIES command

  * (only after) the REQUEST_IDENTITIES command, ssh asks ssh-agent for
    challenge-response by the SIGN_REQUEST command

But the first part does not occur with the current OpenSSH client.  The
client by itself answers back to the server using the certificate on disk
(under .ssh/), without asking ssh-agent.
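As an added illustration (not code from the original post, and not from GnuPG or OpenSSH), here is the two-step agent exchange the text describes, with the message framing of the SSH agent protocol: a REQUEST_IDENTITIES (11) that lists what the agent advertises, a filter for OpenSSH certificate identities, and a SIGN_REQUEST (13) built only for a blob the agent itself advertised. The sample IDENTITIES_ANSWER and key material are constructed; the live helper assumes the agent listens at $SSH_AUTH_SOCK.

```python
import os
import socket
import struct

REQUEST_IDENTITIES, IDENTITIES_ANSWER, SIGN_REQUEST = 11, 12, 13  # agent protocol message numbers
CERT_SUFFIX = "-cert-v01@openssh.com"  # OpenSSH certificate key types end like this

def ssh_string(b):  # SSH 'string': big-endian uint32 length, then the bytes
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):  # decode an SSH 'string' at off -> (bytes, new offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def request_identities():  # framed REQUEST_IDENTITIES (11): the step that must come first
    return ssh_string(bytes([REQUEST_IDENTITIES]))

def parse_identities_answer(payload):  # unframed reply -> [(key type, key blob, comment)]
    if payload[0] != IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type %d" % payload[0])
    (count,) = struct.unpack_from(">I", payload, 1)
    off, ids = 5, []
    for _ in range(count):
        blob, off = read_string(payload, off)
        comment, off = read_string(payload, off)
        ktype, _ = read_string(blob, 0)  # every key blob starts with its type name
        ids.append((ktype.decode(), blob, comment.decode()))
    return ids

def certificates(ids):  # the identities ssh should sign with when a CA is in play
    return [i for i in ids if i[0].endswith(CERT_SUFFIX)]

def sign_request(key_blob, data, flags=0):  # framed SIGN_REQUEST (13) for one advertised blob
    body = bytes([SIGN_REQUEST]) + ssh_string(key_blob) + ssh_string(data)
    return ssh_string(body + struct.pack(">I", flags))

def agent_exchange(framed):  # one round trip over $SSH_AUTH_SOCK -> unframed reply payload
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])
        s.sendall(framed)
        f = s.makefile("rb")
        (n,) = struct.unpack(">I", f.read(4))
        return f.read(n)

# Constructed, abbreviated IDENTITIES_ANSWER: one plain ed25519 key and one certificate.
SAMPLE_KEY = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)
SAMPLE_CERT = ssh_string(b"ssh-ed25519" + CERT_SUFFIX.encode()) + ssh_string(b"nonce")
SAMPLE_ANSWER = (bytes([IDENTITIES_ANSWER]) + struct.pack(">I", 2) + ssh_string(SAMPLE_KEY)
                 + ssh_string(b"cardno:example") + ssh_string(SAMPLE_CERT) + ssh_string(b"user-cert"))
```

Against a running agent, `certificates(parse_identities_answer(agent_exchange(request_identities())))` shows whether the agent advertises any certificate at all; an empty list means ssh can only be using a certificate it found on disk, which is the situation the text describes.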